IBM completes successful field trials on Fully Homomorphic Encryption:
Yesterday, Ars spoke with IBM Senior Research Scientist Flavio Bergamaschi about the company's recent successful field trials of Fully Homomorphic Encryption. We suspect many of you will have the same questions that we did—beginning with "what is Fully Homomorphic Encryption?"
FHE is a type of encryption that allows direct mathematical operations on the encrypted data. Upon decryption, the results will be correct. For example, you might encrypt 2, 3, and 7 and send the three encrypted values to a third party. If you then ask the third party to add the first and second values, then multiply the result by the third value and return the result to you, you can then decrypt that result—and get 35.
You don't ever have to share a key with the third party doing the computation; the data remains encrypted with a key the third party never received. So, while the third party performed the operations you asked it to, it never knew the values of either the inputs or the output. You can also ask the third party to perform mathematical or logical operations of the encrypted data with non-encrypted data—for example, in pseudocode, FHE_decrypt(FHE_encrypt(2) * 5) equals 10.
[...] Although Fully Homomorphic Encryption makes things possible that otherwise would not be, it comes at a steep cost. Above, we can see charts indicating the additional compute power and memory resources required to operate on FHE-encrypted machine-learning models—roughly 40 to 50 times the compute and 10 to 20 times the RAM that would be required to do the same work on unencrypted models.
[...] Each operation performed on a floating-point value decreases its accuracy a little bit—a very small amount for additive operations, and a larger one for multiplicative. Since the FHE encryption and decryption themselves are mathematical operations, this adds a small amount of additional degradation to the accuracy of the floating-point values.
[...] As daunting as the performance penalties for FHE may be, they're well under the threshold for usefulness—Bergamaschi told us that IBM initially estimated that the minimum efficiency to make FHE useful in the real world would be on the order of 1,000:1. With penalties well under 100:1, IBM contracted with one large American bank and one large European bank to perform real-world field trials of FHE techniques, using live data.
[...] IBM's Homomorphic Encryption algorithms use lattice-based encryption, are significantly quantum-computing resistant, and are available as open source libraries for Linux, MacOS, and iOS. Support for Android is on its way.
(Score: 0) by Anonymous Coward on Sunday August 02 2020, @04:57PM (2 children)
well there goes the handbasket: now the world economy will be ruled by the shadow council of accountants.
you think you're seeing the real numbers? nope you've been homomorphed, lol's!
you think you had it bad with "quantitative easying"? betting youre addiction to the system will make you swallow the bitter pill of guaranteed future over time work to save a present prescribed debt?
nope, now the bean counters can unite and lie with numbers that add up! the matrix has you!
(Score: 0) by Anonymous Coward on Sunday August 02 2020, @08:34PM
Stop being so Homomorphic or apk is going to be offended.
(Score: 2) by DannyB on Monday August 03 2020, @06:22PM
The lawyers will not permit it.
Is there a chemotherapy treatment for excessively low blood alcohol level?
(Score: 3, Interesting) by Anonymous Coward on Sunday August 02 2020, @05:01PM (7 children)
This statement doesn't make any sense. In floating-point arithmetic, multiplication (assuming no over/underflow) of two values will introduce negligible additional (relative) error: the relative error of the result is essentially bounded by the product of the relative error of the inputs (within a small constant). This is because the most significant digits of the multiplication result depend only on the most significant digits of the input so any small error on the inputs has only a small effect on the result.
However floating-point addition has no such simple bounds on the error as addition can potentially cancel every single correct digit.
This makes me think they must not actually be using floating-point arithmetic? For example, fixed point multiplication does behave very badly in this regard...
(Score: 1, Interesting) by Anonymous Coward on Sunday August 02 2020, @05:35PM (2 children)
Many people in CS, particularly those coming from other branches of mathematics, have no understanding of how floating point actually works. The article is flat out wrong about addition rounding errors always being smaller than multiplication errors.
(Score: 2) by FatPhil on Sunday August 02 2020, @08:39PM
Great minds discuss ideas; average minds discuss events; small minds discuss people; the smallest discuss themselves
(Score: 2) by DannyB on Monday August 03 2020, @06:23PM
A 64-bit float can hold all possible real number values, in the same way that a 64-bit integer can hold all possible integer values.
Is there a chemotherapy treatment for excessively low blood alcohol level?
(Score: 2, Interesting) by Anonymous Coward on Sunday August 02 2020, @06:28PM (2 children)
Since the purpose of floating point arithmetic is to get the wrong answer quickly, it shouldn't come as any surprise that it doesn't work very well in such a scenario.
While FHE is a new-ish development, I find it weird that a proof of concept is considered an important result. The mathematics have previously been proven, and there are already libraries that provide primitives for encrypted operations. The next important development is an application that makes meaningful use of the capability.
(Score: 2) by HiThere on Sunday August 02 2020, @08:14PM
Perhaps. But the additional costs required to use it were interesting.
Javascript is what you use to allow unknown third parties to run software you have no idea about on your computer.
(Score: 2) by darkfeline on Sunday August 02 2020, @09:27PM
It's a proof of concept with good enough tradeoffs. My understanding is that the state of the art was that it could be done, but no one did it well enough to be plausibly practical.
Join the SDF Public Access UNIX System today!
(Score: 2) by PiMuNu on Monday August 03 2020, @09:56AM
Also weird, FTFA:
> was FHE a little bit lossy? Not exactly, Bergamaschi explained. The model in use is based on floating-point data, not integer—and it's the
> floats themselves that are a little lossy, not the encryption.
The claim is that this encrypted floating point arithmetic but "more lossy" than regular floating point arithmetic. Do they need to encode floating points into some other representation to do the FHE and then decode them back into floating point representation? Do they reducing the precision to get to the claimed performance? Why does integer arithmetic not get affected in the same way - I realise floating points have a slightly different representation to integers, but it isn't all that different?
Naively encryption is just a mapping one set of bits to an obfuscated set of bits and back - and is lossless. This is obviously more complicated, but the logic here I find a bit more confusing.
(Score: 5, Insightful) by Mojibake Tengu on Sunday August 02 2020, @05:24PM
I am not completely sure if I'd trust the tech[1], but over there is even a standard for it, which I suppose IBM adhere to:
http://homomorphicencryption.org/wp-content/uploads/2018/11/HomomorphicEncryptionStandardv1.1.pdf [homomorphicencryption.org]
[1]Lattices are not convincingly resistant enough to quantum computing for me, but consider this a rant only for now.
The edge of 太玄 cannot be defined, for it is beyond every aspect of design
(Score: 3, Insightful) by Runaway1956 on Sunday August 02 2020, @05:28PM (2 children)
This allows you to work securely on untrusted hardware, ie, "the cloud"?
FFS, why are you using untrusted hardware, if you need security? This looks like a solution to a problem that never should have existed.
So, what is the next step? "Bill, they have ultra-cheap cloud services in China now." "Yeah, but we can't trust China, they'll steal all of our secrets." "But, Bill, we can use homomorphic encryption to keep our secrets secret!" "Dammit, Jim, I'm not moving to the cloud. Next month, the Chinese are going to break homomorphing anyway."
Hail to the Nibbler in Chief.
(Score: 0) by Anonymous Coward on Sunday August 02 2020, @05:40PM
Cost. If you only need it occasionally then it can be far cheaper to rent computing power than buy it. All of the world's top supercomputers that aren't military or weather prediction rent time to third parties. This also has implications for distributed computing projects like Folding@Home.
(Score: 2) by FatPhil on Sunday August 02 2020, @08:27PM
The whole point of encryption is to *permit* untusted components at every other stage apart from encryption or decryption.
Great minds discuss ideas; average minds discuss events; small minds discuss people; the smallest discuss themselves
(Score: 5, Funny) by Rosco P. Coltrane on Sunday August 02 2020, @05:55PM (1 child)
All it takes is to steganographically hide your data in pictures of Elton John.
(Score: 2, Funny) by Anonymous Coward on Sunday August 02 2020, @06:58PM
Isn't that homoerotic encryption?
(Score: 1, Funny) by Anonymous Coward on Sunday August 02 2020, @05:57PM (1 child)
FWIW, I am very highly offended by the title of this article? I thought this was a SFW site? I've reported the offense to Google, hopefully they will demonitize you.
(Score: 5, Funny) by FatPhil on Sunday August 02 2020, @08:28PM
Great minds discuss ideas; average minds discuss events; small minds discuss people; the smallest discuss themselves
(Score: -1, Offtopic) by Anonymous Coward on Sunday August 02 2020, @06:35PM
You should have used Gamemaker. Why didn't you? Because you're a mere Gamemakerlessness extremacy, that's why! Wow! Your true ferocity has been revealed to all, and it's simply the comicalness of ultimatum What will you do now that your public image has been utterly destroyed? Will you wallow in despair? Or will you...
Return... to Gamemakerdom!
Return, return, return, return, return to Gamemakerdoooooooooooooooooooooooooooooooooooooooooooooooooooooom!
(Score: -1, Flamebait) by Anonymous Coward on Sunday August 02 2020, @08:13PM
IBM can be as homomorphic as they want to be in the permissive Western world, thanks to the groundbreaking work by SJWs, but it's likely their sales reps will be executed if they try selling these homomorphic chips in the Muslim world.
(Score: 0) by Anonymous Coward on Sunday August 02 2020, @09:05PM
...is crypto-fluid, you bigots.
(Score: 0) by Anonymous Coward on Sunday August 02 2020, @09:09PM
n. fear, hatred, or mistrust of homomorphic
(Score: 1, Flamebait) by Subsentient on Sunday August 02 2020, @09:11PM
IBM Completes Successful Field Trials of Fully Homoerotic Erections
:^D
"It is no measure of health to be well adjusted to a profoundly sick society." -Jiddu Krishnamurti
(Score: 2) by FatPhil on Sunday August 02 2020, @09:16PM (12 children)
> For example, you might encrypt 2, 3, and 7 and send the three encrypted values to a third party. If you then ask the third party to add the first and second values, then multiply the result by the third value and return the result to you, you can then decrypt that result—and get 35.
Let's just formulate that as:
D((E(2)+E(3))*E(7)) = 35
By generalisation, this should also be true:
D(E(2)*E(5)) = 10
And later:
> in pseudocode, FHE_decrypt(FHE_encrypt(2) * 5) equals 10.
Or in my syntax:
D(E(2)*5) = 10
So, given the expression: D(x) = 10, we have from the first equation x=E(2)*E(5), and from the second E(2)*5.
I can only conclude that E(5)=5. Wow, so encrypt, much secure.
Lesson: always look at the mathematical papers, or ask for an explanation from someone who understands the principles of the algorithm, and don't rely on popular journalism.
Great minds discuss ideas; average minds discuss events; small minds discuss people; the smallest discuss themselves
(Score: 2) by shortscreen on Sunday August 02 2020, @09:28PM (4 children)
You don't get back 35. You get something which decrypts to 35.
(Score: 2) by FatPhil on Monday August 03 2020, @12:38AM (3 children)
Great minds discuss ideas; average minds discuss events; small minds discuss people; the smallest discuss themselves
(Score: 2) by coolgopher on Monday August 03 2020, @06:33AM (2 children)
I believe what shortscreen was trying to say is that the third party does not have the knowledge that the resulting blob will decrypt to 35. The third party only knows that it has three ciphertexts, which after performing the requested operations results in a fourth ciphertext.
(Score: 2) by FatPhil on Monday August 03 2020, @06:39AM (1 child)
And it's irrelevant to my point.
Great minds discuss ideas; average minds discuss events; small minds discuss people; the smallest discuss themselves
(Score: 0) by Anonymous Coward on Tuesday August 04 2020, @07:52AM
Your point is, regardless, wrong.
There are no claims about density nor 1:1-ness, so nothing says that X != Y implies D(X) != D(Y).
And "by generalization" utterly fails. You need D(E(5) * 2) = D(E(5) * E(2)) for that, which isn't required by this form of homomorphism.
(Score: 1) by anubi on Sunday August 02 2020, @10:55PM (1 child)
I am still a bit confused on why this isn't yet another hash technique.
"Prove all things; hold fast that which is good." [KJV: I Thessalonians 5:21]
(Score: 3, Informative) by FatPhil on Monday August 03 2020, @12:39AM
Great minds discuss ideas; average minds discuss events; small minds discuss people; the smallest discuss themselves
(Score: -1, Redundant) by Anonymous Coward on Monday August 03 2020, @03:26AM (2 children)
?? I don't understand what you're criticizing. Your example there is wrong, it should be:
> in pseudocode, FHE_decrypt(FHE_encrypt(2) * FHE_encrypt(5)) equals 10. (emphasis mine)
Most of the math in FHE is over my head, but it involves complex data structures. "FHE_encrypt(2) * 5" is an impossible operation because FHE_encrypt(2) results in something more complex than, say, a 4x4 matrix. "FHE_encrypt(2) * 5" would be like saying, "3 * rectangle" or "4x4 matrix + 7" or "325 degrees + 4 liters". It has to be FHE_encrypt(2) * FHE_encrypt(5).
An outside attacker can't just trivially reverse engineer all of the numbers involved.
(Score: 0) by Anonymous Coward on Monday August 03 2020, @04:23AM (1 child)
The statement "In pseudocode, FHE_decrypt(FHE_encrypt(2) * 5) equals 10" is a direct quote from the article.
(Score: 0) by Anonymous Coward on Monday August 03 2020, @11:13AM
Sorry, I missed that. Thanks for the correction.
(Score: 0) by Anonymous Coward on Monday August 03 2020, @08:03AM (1 child)
Because you cannot arbitrarily mix operands that are encrypted and those not encrypted in the homomorphic systems people actually use like that. You cannot have a D(E(2)*5) = 10 equation as the systems won't allow you to do the operations you want for obvious reasons.
(Score: 0) by Anonymous Coward on Tuesday August 04 2020, @07:36AM
I didn't explain that very well. You cannot arbitrarily mix operands of different types in the same operations. So you could have one multiplication operation that allows you to multiply two encrypted values, one that allows you to multiply two clear values, and a third that allows you to multiply one encrypted and one clear operand. This makes it look like you can construct a D(E(2)*E(5)) = 10 and D(E(2)*5) = 10 at the same time, set them equal to each other, and do the elimination you do. But they are not the same operation. Instead you would get something like D(E(2)*1E(5)) = 10 and D(E(2)*35) = 10. When you set them equal to each other, and cancel out the decryption step, you get E(2)*1E(5) = E(2)*35. There is no operation you can do to get E(5) = 5 because the same operation done on both sides to "divide" by E(2) will result in a wrong answer on one side or the other because you used the wrong type of operand.
(Score: 2) by jasassin on Monday August 03 2020, @06:08AM (7 children)
What purpose does this serve? What can you do with it in real life that is useful?
I honestly don't get it. A very very simple example would be very appreciated.
jasassin@gmail.com GPG Key ID: 0xE6462C68A9A3DB5A
(Score: 2) by FatPhil on Monday August 03 2020, @06:38AM
So you can have somoene you don't trust to know your secret data perform the process on your data without letting him know the data he's operating on.
It's esoteric, but it does remove the need for a layer of trust from some situations.
Great minds discuss ideas; average minds discuss events; small minds discuss people; the smallest discuss themselves
(Score: 0) by Anonymous Coward on Monday August 03 2020, @09:26AM (5 children)
An example would be summary statistics when you need to maintain privacy. I give you blobs of encrypted data about people, you can compute the row counts, or mean age, or standard deviations of income, or lm frames, or whatever. This would allow me to put the encrypted but still usable sensitive data on one of the regular clusters instead of waiting multiple days/weeks for a slow desktop in the secure room or having to pay for the time on more expensive audited and approved clusters. It could be a lot more time/money efficient to do it that way on large sets of data instead of doing it another.
If that is still unclear, I can try again with another example or answer your questions.
(Score: 0) by Anonymous Coward on Monday August 03 2020, @05:55PM (4 children)
The question is wouldn't it usually be cheaper for me to just compute the data myself than for me to encrypt it, send it over to you, wait for you to compute it and send it back, then decrypt it?
I can't imagine too many situations where this wouldn't be the case.
(Score: 0) by Anonymous Coward on Monday August 03 2020, @06:38PM
There are a few cases.
It allows someone to cast a vote, receive verification that the vote was counted, but not reveal the way they voted to anyone.
It allows a group of people who don't trust each other to determine the result of some calculation that affects all of them. For example, a group could determine who won a lottery without trusting each other someone external.
It allows for anonymous collection of statistics which can be totaled without having to reveal anyone's individual contributions.
It allows a group of people to create an encrypted document that can only be decrypted if a certain fraction of them agree, but without anyone having to share keys with each other.
(Score: 0) by Anonymous Coward on Monday August 03 2020, @08:44PM (2 children)
I'll give you a more specific example. I have a controlled data set that is in excess of 10 TB. It is approximately 600 columns and 10 million rows. Since it is controlled, I can only have it in unencrypted form on certain computers. While beefy, the most powerful machine I can run anything on is a single server desktop in the secure room and it very limited when compared to one of our clusters and is made worse because it is sharing jobs with other people. Jobs on that data set take literal weeks if not months; there are some things I'd love to do with the data but they would take years of wall time. Jobs on even larger sets of data but on a cluster take less than a week and most are a day. It is multiple orders of magnitude faster.
When comparing costs, encrypting the data once is a relatively cheap operation for the data as there are a finite number of values and most are repeated (e.g. true/false or categories coded as 1-5) or, if you want to use a unique scheme, it is still faster since each datum is only handled once. I can then have IT load that data onto the cluster SAN and spit back results in a day or two, instead of waiting relatively forever. Therefore, my productivity goes up because I can iterate on a single dataset faster and don't have to do as much context switching between multiple projects. It is also cheaper because we don't have to have excess capacity for worst-case situations all over the place or from bad scaling. There is a reason why clusters became a thing, after all. Additionally, I could use the cheaper general-purpose clusters instead of the more secure or approved clusters for that data, saving money that way. Depending on the exact job in question, I might be able to put it on an almost free but still very fast grid. Something that would give my boss a heart attack and get me fired if I suggested it on controlled data unencrypted.
(Score: 0) by Anonymous Coward on Tuesday August 04 2020, @07:58AM
This is exactly why health organizations, militaries, the EFF, and the Mozilla Foundation want this ability.
(Score: 0) by Anonymous Coward on Tuesday August 04 2020, @08:25AM
Also it bothers me very much that your post and other superb ones in this thread were not upvoted. Shame on Soylents for letting gold pass by unheeded.
Shame!